WordPress Security Guide - 20 Steps to Secure Your Website

July 17, 2019

WordPress claims it powers more than 30% of the top 10 million sites on the web. A platform that popular is the top target for automated attacks, so it's no wonder security matters so much. Let me share this WordPress Security Guide with 20 steps in it. Most of them can be applied to your website right now; some are rather advice for website owners and website managers. Make a backup before applying any of the advanced tips to your website.

1. Keep your core, plugins and themes updated

Your WordPress website is built of three components:

  1. Core - WordPress itself
  2. Themes
  3. Plugins

If any of these components is outdated, it's likely that your website will be compromised sooner or later. Once a vulnerability in WordPress core, a plugin or a theme is disclosed, the details and usually a working exploit are public, and attackers run scripts that scan the web for sites still running the vulnerable version. Update every component as soon as an update is available. Back up your website before updating, and don't forget to test it afterwards. Do the updates on a staging server first if your website is complex or mission-critical.

2. Use well-supported plugins

Plugins are the most common way a WordPress site gets compromised. Every installed plugin is more code exposed to the web, so the chance that your website has a security hole grows with each one. Avoid abandoned plugins: check when the author last updated it, shown in the plugin's details as "Last Updated". Prefer plugins that have been updated within the last 2-3 months. Don't take this number for granted, there are exceptions (a small, finished plugin can be fine without updates as long as it still works with the current WordPress). The count of active installations is a good way to judge how popular a plugin is: the more people use it, the more likely the developers care about keeping it updated and secure, and the more likely a vulnerability gets reported and fixed quickly. It's advisable to check the plugin's support forum too, to see if anything bad has been going on lately.

3. Use a well-supported theme

Themes are a high risk as well. The theme's code runs on every page of your website, so a vulnerability in it exposes the whole site, and it's common for sites to be hacked through their theme. Make sure the developer regularly updates the theme and keeps it secure. Active installations count and last-updated date play a huge role here as well. Do some research about the author before deciding on the theme. In the current page-builder era, either use the theme provided by the page builder or a theme recommended by the author of the page builder plugin.

4. Choose a reliable web hosting

Many security controls live at the server level. If your host doesn't take security seriously, nothing you do inside WordPress fully makes up for it. Most small websites run on shared hosting, and it's called shared for a reason: many customers' sites run on the same server. Imagine an attacker compromises one of those sites and, because the server doesn't isolate its customers properly (file permissions, separate system users per site), gets to the file system of the other sites. That means the attacker has access to EVERY website on that server. So it doesn't matter how secure your website is if your hosting is insecure: someone else on the shared host gets hacked, and your website goes down with them. Choose a reliable and secure hosting company, such as SiteGround. Also, if hosting is cheap, there is a reason for that. Do a background check before deciding on a host.

5. Suppress login error message

To avoid leaking usernames or email addresses, disable the login hint messages. When you try to log in with an existing username or email address but a wrong password, WordPress tells you the password is wrong; with a non-existent username, it tells you the username is unknown. So an attacker who doesn't know the username can try a few likely ones with a random password, and WordPress confirms which one exists. You can use a one-line snippet to disable the message entirely. Append this snippet to your theme's functions.php:

add_filter( 'login_errors', '__return_empty_string' );

Note: If you have a WordPress website that lets your users log in (for example e-commerce and membership websites), use a useful message like this:

function ld_login_errors() {
  return "Sorry, either the username or password is wrong.";
}

add_filter( 'login_errors', 'ld_login_errors' );

The code above tells the user only that the username or password is wrong, so the response is the same whether or not the account exists, and your website doesn't give away any vital information. Keep in mind that the login form is not the only place WordPress reveals usernames: author archive URLs and the REST API's users endpoint do too, so this is one piece of the picture, not the whole.
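Suppressing the error message closes one leak; the following is an added example (not code from the original post) that closes the other two places WordPress hands usernames to anonymous visitors. It assumes, which the post does not state, that nothing public on your site needs the anonymous users endpoint or `?author=` links.

```php
<?php
/*
 * Added example, not code from the original post. Add it to functions.php
 * or to wp-content/mu-plugins/no-user-enumeration.php.
 * Assumption (not from the post): no public feature of the site relies on
 * the anonymous REST users endpoint or on /?author=<id> links.
 */

/*
 * 1. The REST API lists every author's login-derived slug at
 *    /wp-json/wp/v2/users. Remove those routes unless the request comes
 *    from a logged-in user (the dashboard still needs them).
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

/*
 * 2. Requesting /?author=1 redirects to /author/<username>/, so an attacker
 *    can walk the IDs 1, 2, 3 ... and collect every login name. Send such
 *    requests to the home page instead. Priority 1 matters: WordPress's own
 *    canonical redirect runs on template_redirect at priority 10 and would
 *    already have revealed the name. Author archives reached through their
 *    normal /author/<name>/ URL are unaffected.
 */
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

Check the result as an attacker would: open `https://your-site/?author=1` and `https://your-site/wp-json/wp/v2/users` in a private browser window. The first should land on the home page and the second should return a "no route" error rather than a list of users.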

6. Limit login attempts

Brute-force is a common way to compromise a website: someone keeps trying passwords until they get in, usually with a script and a list of common or previously leaked passwords rather than every possible combination. To slow brute-force attacks down, install a plugin that limits login attempts. I recommend Limit Login Attempts Reloaded because it's simple and effective. The plugin limits login attempts with sensible defaults, so it works without configuration, though you may want to tweak its settings in your admin panel. Whatever you use, check that it also counts failed logins made through XML-RPC (xmlrpc.php), which accepts the same credentials as the login form.
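To show what such a plugin does underneath, here is an added example (not code from the original post or from the plugin) of a minimal login rate limiter built on WordPress transients. The threshold of 5 failures per 15 minutes and the use of `REMOTE_ADDR` as the client identity are assumptions for the example, not from the post.

```php
<?php
/*
 * Added example, not code from the original post. Save it as
 * wp-content/mu-plugins/login-limit.php so it loads before any theme.
 *
 * Assumptions (not from the post): 5 failures per 15 minutes is an
 * illustrative threshold, and REMOTE_ADDR is the real client address.
 * Behind a proxy or CDN you must read the forwarded header the proxy sets,
 * and only if you trust it, otherwise every visitor shares one counter.
 */

define( 'LD_MAX_FAILURES', 5 );
define( 'LD_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/** Transient name holding the failure counter for the current client. */
function ld_failure_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ld_login_fail_' . md5( $ip );
}

/** Failed logins recorded for this client in the current window. */
function ld_failure_count() {
    return (int) get_transient( ld_failure_key() );
}

/*
 * Count every failure. wp_login_failed fires from wp_authenticate(), which
 * both wp-login.php and xmlrpc.php go through, so XML-RPC guessing is
 * counted too. Each failure also restarts the lockout window.
 */
add_action( 'wp_login_failed', function ( $username ) {
    set_transient( ld_failure_key(), ld_failure_count() + 1, LD_LOCKOUT_SECONDS );
} );

/*
 * Refuse the login once the threshold is reached. Priority 30 matters:
 * WordPress's own username/password checks run on this filter at priority
 * 20 and would overwrite an error returned before them.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ld_failure_count() >= LD_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed login attempts. Try again in %d minutes.',
                LD_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

/* A successful form login clears the counter so the user isn't locked out later. */
add_action( 'wp_login', function () {
    delete_transient( ld_failure_key() );
} );
```

Two design notes. The lockout error itself goes through `wp_login_failed`, so hammering a locked client keeps extending the window, which is what you want. And because the counter is keyed by address, a distributed attack from many addresses is not stopped by it; that is why strong passwords (step 7) are still required.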

7. Use strong passwords

Using weak or common passwords is a big no-no. Even if you limit login attempts, minimize the chance of someone guessing your password. Either use a randomly generated strong password (stored in a password manager) or a long passphrase you can actually remember. If you use a randomly generated password, make it as long as possible, ideally 24-32 characters. Never reuse a password from another site: lists leaked from other breaches are the first thing attackers try.

[Image: XKCD password strength comic, https://xkcd.com/936/]

Too bad that we humans have been trained to use passwords that are hard for us to remember but easy for computers to guess. There is more to a secure password than a random string: the comic's point is that a passphrase of four random common words is both easier to remember and far harder to brute-force than a short password with a few substituted characters. (Comic from XKCD: https://xkcd.com/936/)

8. Don’t use common usernames

Another way to minimize the guessing game. Don't use admin, administrator or any other common username. I usually use a prefix and a randomly generated string, for example admin_aPo51xWqTn. This only helps if the username isn't leaked elsewhere (see step 5).

9. Hide login page

One more step against unauthorized logins. If attackers' scripts don't know where the login page is, the ones aimed at wp-login.php hit nothing. So go ahead and use a custom URL for your login page. The easiest way is a plugin; I usually recommend WPS Hide Login. It's widely used and the author keeps it up-to-date. As you might know by now, I am a big fan of random strings, so I usually end up with something like /login-LOZmXb9Tq9u. Keep in mind that this is obscurity, not access control: xmlrpc.php and the REST API still accept credentials, so hiding the page doesn't replace rate limiting and strong passwords. If nothing on your site needs XML-RPC (mobile apps, Jetpack and pingbacks do), disable it as well.

10. Use SSL/HTTPS

When you work in the admin dashboard over plain HTTP, your login cookie and everything you type travel in clear text, and anyone on the same network can read or tamper with it. Use the dashboard over a secure connection: HTTPS. The data between the server and your browser is then encrypted, so other users on the network can't see what's going back and forth. Even if your website has no e-commerce functionality or anything that asks visitors for information, this is a must-have nowadays, and encrypting your login to the WordPress dashboard never hurts. HTTPS is also a (minor) ranking signal for Google, and certificates are free from Let's Encrypt, which most hosts set up with a click. If you aren't familiar with SSL/HTTPS, read up on HTTP vs HTTPS and how HTTPS works first. Not using it today leaves your website, and your own credentials, exposed. So, all in all, it is a must-have!

11. Force HTTPS

Make sure all your visitors are forced onto an HTTPS connection. You can do this by appending the snippet below to your .htaccess file. Before adding it, make sure your website is already reachable over HTTPS with a valid certificate and that the WordPress Address and Site Address settings use https://. Otherwise you might lock yourself out of the website; if you can't access it anymore, remove the code and it should work again.

# BEGIN Force HTTPS
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force HTTPS

I don't recommend a plugin for this since it's easy to set up, even for non-techies, and such plugins add work to every request. Bear in mind that this snippet won't work for every WordPress website. It assumes your own web server terminates TLS: if a CDN or reverse proxy (Cloudflare, a load balancer) handles HTTPS and talks to your server over plain HTTP, %{HTTPS} is off on every request and this rule redirects forever; in that case the condition has to test the X-Forwarded-Proto header the proxy sets instead. It also might not work properly with WP Super Cache without tweaking. Since every website is different, leave this to a WordPress expert if in doubt, though the code should work for most websites!

Plugins for this usually also fix mixed-content problems. Mixed content occurs when you open your website through HTTPS but some resources are loaded through HTTP; for example, you embedded images with absolute URLs, but used http:// instead of https://. Then you open your website through https:// and BOOM! Your browser tells you the connection to the site is not fully secure. I guess you don't want your visitors to see that. Mixed content is also a real security issue, not just a warning: a resource fetched over HTTP can be swapped by anyone in a man-in-the-middle position. That's why browsers block active mixed content (scripts, stylesheets, iframes) outright, which breaks your site, and only warn about passive content such as images.

Plugins that fix mixed content do it with output search-and-replace: before sending the page to the visitor, the plugin goes through the whole HTML to find and replace http:// with https://, on every page load. That's computing power wasted on every request...

Instead of replacing http:// with https:// on every page load, fix the stored URLs once in the database with a plugin such as Better Search Replace (it handles serialized data, which a plain SQL UPDATE would corrupt). After doing so, add the .htaccess snippet from above, so your visitors can't reach the site through an insecure connection at all.
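The .htaccess rule redirects visitors; the following added example (not code from the original post) makes WordPress itself agree with it and closes the gap a 301 leaves open. It assumes, beyond what the post states, that the site is already reachable over HTTPS and that any TLS-terminating proxy in front of it sets X-Forwarded-Proto.

```php
<?php
/*
 * Added example, not code from the original post. Two parts, two files.
 * Assumptions (not from the post): the site already works over HTTPS, and
 * if a proxy or CDN terminates TLS, that proxy sets X-Forwarded-Proto and
 * strips any copy of it sent by the client.
 */

/* ---- Part 1: wp-config.php, above the "stop editing" line ---- */

/*
 * Behind a TLS-terminating proxy the origin only sees plain HTTP, so
 * is_ssl() returns false and FORCE_SSL_ADMIN would redirect in a loop.
 * Honour the forwarded protocol header only if your proxy really sets it.
 */
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/* Insist on HTTPS for wp-login.php and the whole dashboard, independent of .htaccess. */
define( 'FORCE_SSL_ADMIN', true );

/* ---- Part 2: functions.php or wp-content/mu-plugins/hsts.php ---- */

/*
 * A 301 still lets the very first request of each visit go over plain HTTP.
 * Strict-Transport-Security tells the browser to use HTTPS on its own for
 * max-age seconds. Start with a short max-age (one day here) until you are
 * sure every page works over HTTPS, then raise it; a wrong value cannot be
 * undone from the server side until it expires in visitors' browsers.
 */
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=86400' );
    }
} );
```

Part 1 must be in wp-config.php: WordPress reads FORCE_SSL_ADMIN while loading its constants, long before any theme's functions.php runs, so defining it there is too late. Only add `includeSubDomains` to the header once every subdomain is served over HTTPS, because the browser applies it to all of them.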

12. Remove WordPress Version number

Since many exploits are publicly available, hide which WordPress version you are running. This won't hide that your website runs WordPress, and a determined attacker can still fingerprint the version from file hashes or from the readme.html that ships in the site root, but it removes the easy path where a scanner matches the version string in your HTML against a list of known vulnerabilities.

The code below removes the version number from both the head tag and the RSS feeds:

remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

This takes very little effort to add to your site. Even if it only makes your website slightly safer, the tiny snippet is worth adding to your functions.php.
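The generator tag is not the only place the version shows: every core script and style is enqueued with `?ver=<WordPress version>` (for example `/wp-includes/js/jquery/jquery.js?ver=5.2.2`), which scanners read just as easily. Here is an added example (not code from the original post) that strips that argument only when it equals the core version, so plugins and themes keep their own cache-busting versions. It assumes you accept that a core update no longer changes these URLs, so browsers may serve cached old assets until they expire.

```php
<?php
/*
 * Added example, not code from the original post. Add to functions.php.
 * Assumption (not from the post): losing cache-busting on core assets
 * after an update is acceptable to you.
 */
function ld_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    // Only drop "ver" when it is exactly the core version; leave a plugin's
    // own version numbers (its cache-busting) untouched.
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so this runs after anything else that rewrites asset URLs.
add_filter( 'style_loader_src',  'ld_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'ld_strip_core_version', 9999 );
```

After adding it, view the page source and search for `ver=`: core assets should carry none, while a plugin's assets still show that plugin's version. The readme.html in the site root still states the version and comes back with every core update, so delete it after updating or block it in .htaccess.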

13. Change WordPress Table Prefix

By default WordPress uses the wp_ table prefix, so the tables are wp_users, wp_options and so on. I recommend changing it to something unique, like mywebsite_ or a random string such as mV4MlsWfXE_. Be clear about what this does and doesn't do: it does not prevent SQL injection. A real injection flaw lets the attacker read the table names from the database anyway. What a custom prefix does is break lazy, pre-written attack scripts and malware that hardcode wp_. Changing the prefix on an existing site is fiddly: besides renaming every table and updating $table_prefix in wp-config.php, the prefix is also stored inside data (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys), and missing those locks every user out. Since this can break your site, create a backup first. It's a bit complicated, so if you aren't comfortable, find a WordPress expert to do it for you.

14. Use quality themes

I am pretty sure you love blazing-fast websites. A theme usually determines the foundation, and often the whole structure, of a WordPress website. This has changed somewhat in the page-builder era, but it's still very important to use a lightweight, fast theme. If you use a page builder plugin, pick as lightweight a theme as possible, since the page builder adds its own weight to the website.

If you aren't using a page builder, look for a theme that closely matches the features you need. Either pick a theme with fewer features than you need and add the rest with plugins, or use a theme's full potential. This way you minimize wasted resources and unused features, and unused features are still code an attacker can reach.

15. Use quality plugins

Plugins are one of the components that drive your whole website. Make sure they are high quality, well supported and don't slow your website down. Double-check the company or developer behind a plugin before you use or buy it: do a background check, read reviews and look at metrics such as active installations. Premium plugins are premium for a reason, or at least they should be. That doesn't mean your WordPress website should only use premium/paid plugins; there are many high-quality free ones. But premium plugins often offer better performance and more features, or simply solve one problem efficiently. Either way, do a proper background check before buying a premium plugin or installing a free one.

16. Delete unused themes

Keep the number of moving parts on your WordPress website as small as possible. By deleting every unused theme, you remove whole directories of code that could be attacked. An inactive theme isn't loaded by WordPress, but its files still sit in wp-content/themes and are reachable over the web, so a vulnerable script inside it can be hit directly, and you're unlikely to keep updating something you don't use. You don't need those themes anyway if they aren't activated, so there's no reason to have more than one child theme and its parent.

17. Delete unused plugins

If a plugin has a security hole, deactivating it is not enough. WordPress doesn't load deactivated plugins, but their files stay on disk and web-accessible, and website owners tend to forget updating disabled plugins, which is a real risk. Either keep them up-to-date or, if you don't use them at all, delete them. You can reinstall them any time you need them. I use a couple of utility plugins that I reinstall from time to time, or I make sure they are always up-to-date: Better Search Replace and WP File Manager are plugins like that.

18. Avoid themes and plugins from unofficial sources

Don't use any nulled (pirated) plugin or theme. I know it's appealing to get premium plugins for free, but think about it: whoever redistributes them can easily alter the source code and inject malware, opening a backdoor into your website or simply collecting all its data. Think twice before using any plugin or theme from an unofficial source; get them from the developer or the wordpress.org directory.

19. Avoid public networks

This one matters less if you use HTTPS, since your connection is encrypted between the server and your browser. But even if they can't read the traffic, attackers on an open network can go after your laptop itself. Your computer is a layer as well: if someone gets into it, they get your sessions and saved passwords, and your website with them. Also, when you're in a public place, make sure no one is watching over your shoulder when you type your password. It might sound funny, but this kind of password-stealing happens.

20. Backup your website regularly

No website is perfect. Even Facebook and Google have been hacked. That's why you should always have backups to restore in case of chaos. Before restoring, find out how your website was compromised and fix the cause on a private copy (a staging server); you don't want to fall into the same trap again, and a backup taken after the break-in may already contain the attacker's backdoor. If you use a plugin to back up your website, move some of your backups off the server. Most plugins support cloud storage such as Google Drive or Dropbox. Storing all your backups on the hosting account can lead to huge chaos: if an attacker gains full access to your website, they can simply delete your backups, and I guess you don't want to recreate your website from zero. Either store all backups off-site or move some off-site regularly. Daily backups on the server are OK, as long as you move one backup file off-site every week; this depends on your website, though. If you run an e-commerce website, you probably want every daily backup off-site. Also, never store critical files in one place only; if you lose that one place, you are back to zero. So don't forget to back up your backup!

Even if your hosting includes an automatic backup service, I still recommend installing a backup plugin for the reasons above: a backup you control, stored where neither the host nor an attacker can lose it. If you're looking for hosting that includes automatic backups, SiteGround is one of them. The plugin I usually use and recommend is one of the most popular free backup plugins for WordPress: UpdraftPlus WordPress Backup Plugin. It can back up your WordPress files and database automatically. Don't forget to configure it after installing; by default, it doesn't back up on a schedule!

More Coming…

This article will always be about WordPress security. I'll keep adding more steps and tips over time, so stay tuned!

I've spent countless hours working on WordPress websites. Over the years I've accumulated a lot of experience, so it was time to share it! Have a wonderful, secure day!


David Szabo
Web Wizard

Hey, David here. Hope you enjoyed reading this article. I don't have many posts here yet, but stay tuned! Thanks for reading, have a nice day!

